Discovery & Public Keys
Overview
The discovery and public-key endpoints allow external clients to automatically discover:
- Available token endpoints (issuance, introspection, revocation)
- Supported grant types and client authentication methods
- Public signing keys for offline JWT validation
Both endpoints are public and require no authentication.
OAuth2 Discovery Endpoint
The discovery endpoint publishes metadata about the OAuth2 provider, including all token-related endpoints and supported features.
Endpoint
| Mode | Method | Endpoint |
|---|---|---|
| Manage From This Policy | GET | https://yourApinizerAddress/auth/.well-known/oauth-authorization-server |
| Manage From ACL | GET | https://yourApinizerAddress/credential/.well-known/oauth-authorization-server |
Request
No request body or authentication required.
```bash
curl -X GET \
  "https://yourApinizerAddress/auth/.well-known/oauth-authorization-server"
```
Response (200 OK)
```json
{
  "issuer": "https://yourApinizerAddress/auth",
  "token_endpoint": "https://yourApinizerAddress/auth/token",
  "introspection_endpoint": "https://yourApinizerAddress/auth/introspect",
  "revocation_endpoint": "https://yourApinizerAddress/auth/revoke",
  "jwks_uri": "https://yourApinizerAddress/auth/.well-known/jwks.json",
  "grant_types_supported": [
    "client_credentials",
    "password",
    "refresh_token"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ]
}
```
| Field | Type | Description |
|---|---|---|
| issuer | string | The issuer identifier (the /auth or /credential base address) |
| token_endpoint | string | Address for issuing opaque OAuth2 tokens |
| introspection_endpoint | string | Address for introspecting tokens |
| revocation_endpoint | string | Address for revoking tokens |
| jwks_uri | string | Address for retrieving public signing keys (JWKS) |
| grant_types_supported | array | List of supported grant types (client_credentials, password, refresh_token) |
| token_endpoint_auth_methods_supported | array | List of client authentication methods (client_secret_basic, client_secret_post) |
Load Balancer & Forwarded Headers
When Apinizer runs behind a load balancer or ingress (e.g., Kubernetes, NGINX, AWS ALB) that terminates TLS, the advertised endpoint addresses are derived from the HTTP forwarded headers:
- X-Forwarded-Proto (for https vs http)
- X-Forwarded-Host (for domain and port)
Make sure your load balancer or ingress passes these headers through to Apinizer. Otherwise, the published addresses will point to the internal address instead of the external address clients actually use.
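The two sides of the discovery flow, as an added example that is not Apinizer's own code: the provider derives its external base address from the forwarded headers (and ignores them when the request did not come through the trusted load balancer, so a direct caller cannot poison the published addresses), and a client validates the metadata document before caching it. `advertised_base_url`, `build_discovery_document` and `validate_discovery_document` are hypothetical helpers; the sample document is a constructed copy of the response shown above, and the "same host as issuer" rule is a policy choice of this example, not a requirement of the page.

```python
from urllib.parse import urlsplit

# Constructed copy of the discovery document shown above, as a client would receive it.
SAMPLE_DISCOVERY = {
    "issuer": "https://yourApinizerAddress/auth",
    "token_endpoint": "https://yourApinizerAddress/auth/token",
    "introspection_endpoint": "https://yourApinizerAddress/auth/introspect",
    "revocation_endpoint": "https://yourApinizerAddress/auth/revoke",
    "jwks_uri": "https://yourApinizerAddress/auth/.well-known/jwks.json",
    "grant_types_supported": ["client_credentials", "password", "refresh_token"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
}

REQUIRED_ENDPOINTS = ("token_endpoint", "introspection_endpoint", "revocation_endpoint", "jwks_uri")


def advertised_base_url(request_scheme, request_host, headers, prefix="/auth", via_trusted_proxy=True):
    """Provider side (hypothetical helper): external base address used for the published URLs.

    X-Forwarded-Proto / X-Forwarded-Host are honoured only for requests that arrived through
    the trusted load balancer; the same headers on a request that reached Apinizer directly
    are ignored, so one caller cannot poison the addresses every other client is told to use.
    """
    scheme, host = request_scheme, request_host
    if via_trusted_proxy:
        # A chain of proxies may append values; the first entry is the client-facing one.
        scheme = headers.get("X-Forwarded-Proto", scheme).split(",")[0].strip()
        host = headers.get("X-Forwarded-Host", host).split(",")[0].strip()
    return f"{scheme}://{host}{prefix}"


def build_discovery_document(base):
    """Provider side: the metadata document derived from the chosen base address."""
    return {
        "issuer": base,
        "token_endpoint": f"{base}/token",
        "introspection_endpoint": f"{base}/introspect",
        "revocation_endpoint": f"{base}/revoke",
        "jwks_uri": f"{base}/.well-known/jwks.json",
        "grant_types_supported": ["client_credentials", "password", "refresh_token"],
        "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
    }


def validate_discovery_document(doc, expected_issuer):
    """Client side: checks to run before caching the metadata. Returns a list of problems."""
    problems = []
    # The issuer the client was configured with must be the one the document claims.
    if doc.get("issuer") != expected_issuer:
        problems.append("issuer mismatch")
    issuer_host = urlsplit(expected_issuer).netloc
    for field in REQUIRED_ENDPOINTS:
        url = doc.get(field)
        if not url:
            problems.append(f"missing {field}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"{field} is not https")
        # Example policy: every advertised endpoint must live on the issuer's host.
        if parts.netloc != issuer_host:
            problems.append(f"{field} host differs from issuer host")
    return problems


if __name__ == "__main__":
    forwarded = {"X-Forwarded-Proto": "https", "X-Forwarded-Host": "api.example.com"}
    print(advertised_base_url("http", "10.0.0.5:8080", forwarded))      # external address
    print(advertised_base_url("http", "10.0.0.5:8080", {}))             # headers not passed through
    print(validate_discovery_document(SAMPLE_DISCOVERY, "https://yourApinizerAddress/auth"))
```

Running the block shows the failure mode the text warns about: without the forwarded headers the base address becomes the internal `http://10.0.0.5:8080/auth`, and a client configured for the external issuer rejects the resulting document on both the issuer and the scheme checks.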
JWKS (JSON Web Key Set) Endpoint
The JWKS endpoint publishes the public part of the signing key, so that external systems can verify the signature of Apinizer-issued JWT tokens offline, without calling Apinizer for each request.
Endpoint
| Mode | Method | Endpoint |
|---|---|---|
| Manage From This Policy | GET | https://yourApinizerAddress/auth/.well-known/jwks.json |
| Manage From ACL | GET | https://yourApinizerAddress/credential/.well-known/jwks.json |
Request
No request body or authentication required.
```bash
curl -X GET \
  "https://yourApinizerAddress/auth/.well-known/jwks.json"
```
Response (200 OK)
```json
{
  "keys": [
    {
      "kty": "RSA",
      "kid": "key-id-1",
      "use": "sig",
      "n": "0vx7agoebGcQSuuPiLJXZptN...",
      "e": "AQAB",
      "alg": "RS256"
    }
  ]
}
```
| Field | Type | Description |
|---|---|---|
| keys | array | List of public keys in JWK format |
| kty | string | Key type (e.g., RSA, EC) |
| kid | string | Key identifier; matches the kid claim in JWT headers, so verifiers can select the correct key |
| use | string | Key usage; sig means the key is used for signing |
| n, e | string | RSA modulus and exponent (for RSA keys) |
| alg | string | Algorithm used for signing (e.g., RS256, HS256) |
Key Identifier Matching
Each issued JWT carries a key identifier (kid) in its header. Verifiers match the JWT's kid to one of the keys returned from the JWKS endpoint, then use that key to verify the signature.
JWKS Not Available for Opaque Tokens
This endpoint is meaningful for JWT tokens only. OAuth2 (opaque) tokens have no public key because they are validated server-side via the introspection endpoint. If you need to check opaque token validity, use the token introspection endpoint instead.
Public Key Only
This endpoint publishes only the public part of the signing key. The private key is never exposed and is stored securely on the server.
Related Pages
- JWT Token Endpoint — Issue JWT tokens
- OAuth2 Token Endpoint — Issue opaque tokens
- Token Introspection — Check token validity
- Token Revocation — Revoke tokens